Domain shadowing becoming more popular among cybercriminals (Security News, September 2022)
Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.
These subdomains are then used to host malicious pages on the cybercriminals' own servers, while the domain owner's web pages and existing DNS records stay exactly as they were, so the owners do not realize they have been breached.
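Because shadowing leaves the legitimate records untouched, the defender's signal is not a changed record but a new name that appears in the zone and resolves outside the owner's own address space. The following snapshot-diff check is an added example (not code from Unit 42 or the article); the zone names, snapshots and the 198.51.100.0/24 owner range are constructed sample data.

```python
import ipaddress

# Known-good snapshot of the zone (constructed sample): name -> (type, value)
BASELINE = {
    "example-corp.test.":      ("A", "198.51.100.10"),
    "www.example-corp.test.":  ("A", "198.51.100.10"),
    "mail.example-corp.test.": ("A", "198.51.100.25"),
}

# Address space the domain owner actually operates (constructed sample)
OWNER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Later snapshot (constructed): every legitimate record untouched, two names added
CURRENT = dict(BASELINE)
CURRENT["secure-portal.example-corp.test."] = ("A", "203.0.113.77")  # foreign hosting
CURRENT["staging.example-corp.test."] = ("A", "198.51.100.40")       # new, but in-house


def legitimate_records_intact(baseline, current):
    """True when every baseline record is still present and unchanged, the
    hallmark that separates domain shadowing from a full DNS hijack."""
    return all(current.get(name) == rec for name, rec in baseline.items())


def find_shadow_candidates(baseline, current, owner_networks):
    """Return {name: severity} for names that were absent from the baseline.

    'high'   : new name whose A/AAAA record is outside the owner's address space
    'review' : new name pointing at owner infrastructure (likely a real change),
               or a record type (e.g. CNAME) this check does not resolve
    """
    findings = {}
    for name, (rtype, value) in current.items():
        if name in baseline:
            continue  # shadowing adds names; existing ones are handled elsewhere
        outside = False
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            outside = not any(addr in net for net in owner_networks)
        findings[name] = "high" if outside else "review"
    return findings


if __name__ == "__main__":
    print("legitimate records intact:", legitimate_records_intact(BASELINE, CURRENT))
    for name, sev in sorted(find_shadow_candidates(BASELINE, CURRENT, OWNER_NETWORKS).items()):
        print(f"{sev:7s} {name}")
```

In practice the baseline comes from the registrar or authoritative zone export and the current snapshot from periodic zone pulls or passive DNS logs, which is the large-scale log analysis Unit 42 refers to below.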
Unit 42 explains that detecting real cases of domain shadowing is particularly challenging, which makes the tactic so alluring for the perpetrators.
"We conclude from these results that domain shadowing is an active threat to the enterprise, and it is hard to detect without leveraging automated machine learning algorithms that can analyze large amounts of DNS logs." - Unit 42.
In one case, the domain owners realized the compromise, but not before numerous subdomains had been created and facilitated malicious operations on their infrastructure.
While protection from rogue subdomains is the responsibility of domain owners, registrars, and DNS service providers, it would be prudent for users always to be wary when submitting data.